More Trouble For VTech -- Kids Tablet Is 'Easy' To Hack

VTech is having an abysmal week following a hack that exposed data on 6.4 million children and 4.8 million adults. Not only has its stock price dipped to a year low, but security researchers have also found two glaring vulnerabilities in its InnoTab Max tablet for kids, and the company is refusing to answer questions on whether it even has a security team.

Ken Munro, who heads up consultancy Pen Test Partners, discovered the issues with the InnoTab within a day. The flaw was simple to find because it has been known for more than two years. The problem lies in the processor within the tablet, the Rockchip RK3168, which allows anyone with access to the device to easily pilfer data from memory using a freely available tool called 'rkflashtool'.

"This bug has been known about for well over two years. It’s a bit lame of VTech to continue shipping vulnerable tablets, tablets that expose children’s data," Munro wrote in a blog post today.

A microSD card slot in a VTech kids tablet, which could easily be prized off and stripped of sensitive data, claims a security researcher.

He also discovered a microSD slot on the motherboard, which was used to store the filesystem and user data. "Other than making for another easy route to extract sensitive data, that’s also asking for reliability trouble down the line," he added. "VTech could do a lot better with the security of their hardware that stores our children’s data."

There have been numerous signs VTech hasn't paid enough attention to security. First, the hack itself, according to a Vice Motherboard report, was perpetrated with an age-old technique, SQL injection, that firms should be prepared for. The company was storing most data, including children's images and chat messages with parents, unencrypted. Its website was not protected with SSL web encryption. And its Android application used by parents to chat with their children was said to be vulnerable.

The situation appeared so concerning to Senator Edward Markey and Congressman Joe Barton that they have written to the company, asking what steps it has taken to protect its customers, whether parents or their children. According to a disclosure from VTech yesterday, 2.9 million children in America were affected by the breach.

Despite repeated requests for comment, VTech, which recorded revenues of $1.9 billion earlier this year, has yet to say whether it has anyone dedicated to security.